Hardware Procurement

Requirements

• 2 individuals with appropriate role

  • Each needs a Personal PGP key pair

• Tamper-proofing equipment

• Sealable plastic bag is required for this procedure:

  • Alert Security bag

Procedure: Local Procurement

1. Selecting a Purchase Location

   • Select at multiple stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method. This is done in order to reduce the likelihood that an insider threat is able to plant a compromised computer in a store ahead of time.

2. Within the store, identify available adequate device

3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which SHOULD be an access controlled space.

   • The bag MUST be a sealable see-through tamper evident bag. It may be necessary to remove the device from it's original packaging to fit it into the sealable bag.

4. If the equipment does not have to be tamper proofed, simply deliver it to its storage location, and update the inventory repository with the serial number of the device.

5. If the equipment does require tamper proofing, apply the appropriate level of tamper proofing for the security level you are performing the procurement for.

Procedure: Online Procurement

1. Select a well known and reputable supplier. Establishing a relationship with a hardware supplier that has a reputation for privacy, supply chain security is preferred.

2. Order the supplies to a registered mailbox, to prevent exposing your organization's location

Tamper Proofing

All hardware:

• MUST be procured using dual custody methods

• MUST be tamper proofed using vacuum sealing / stored in tamper evident vault

• MUST be properly labelled

• MUST be added to cryptographically signed inventory

Procedure

1. Insert object(s) into plastic sealing bag

2. Fill bag with enough plastic beads that most of the object is surrounded

3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move

4. Take photographs of both sides of the sealed object using both the digital and polaroid camera

5. Date and sign the polaroid photographs and store them in a local lock box

6. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.

Equipment Models

Computers Models

For Level 2 security, air-gapped computers which are used for cryptographic material management and operations are required.

• HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99

  • Illustrated Parts Catalog

• Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99

  • Disassembly Manual

• Purism Librem 14

• Nova Custom (Untested)

• NitroPad (Untested)

• Computers which are compatible which can be verified via this guide

SD Cards & Adapters

SD cards can be tamper proofed in packs of 4 to reduce the amount of tamper proofing that needs to be done.

Any high quality SD equipment can be used but below are some recommended products:

• Kingston Industrial 8GB SD Memory Card

• Kingston Indsutrial 8GB microSD Memory Card

• microSD to SD adapter

  • 64GB Kingston Canvas Select Plus Class 10 MicroSDXC Memory Card with SD Adapter (SDCS2/64GB)

• SD Card USB Adapters

  • SD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-sd-reader

  • microSD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-microsd-reader

  • Workflow station hub (may prove helpful with workflows): https://www.kingston.com/en/memory-card-readers/workflow-station-hub

Smart Cards

• NitroKey 3

• YubiKey 5